[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#47670] [PATCH 0/2] Add updater for packages hosted as SourceHut Git

From: Ludovic Courtès
Subject: [bug#47670] [PATCH 0/2] Add updater for packages hosted as SourceHut Git repositories
Date: Tue, 27 Jul 2021 12:19:46 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)


Replying to an old message…

Xinglu Chen <> skribis:

> On Sun, Jun 06 2021, Ludovic Courtès wrote:


>>> Umm, the 'upstream-source-compiler' uses 'url-fetch' to fetch the url, I
>>> guess we would have to make it support Git repositories first.
>> Yes, that’s a limitation of (guix upstream) right now.
>> ‘%method-updates’ was a first step in the direction of supporting Git
>> repos.
> One of the problems with adding support for Git repos in (guix upstream)
> was that Libgit2 (and by extension Guile-Git) doesn’t provide an API for
> verifying tags, the I only way I know of is to run ‘git verify-tag’ in
> the shell.  There is a ‘git_commit_extract_signature’ API, but it only
> for individual commits, and since the majority of people don’t sign
> their commits it means that a most of the time its not going to be able
> to verify the checkout.

The (guix git-authenticate) commit has code that retrieves the OpenPGP
signature and checks it.  It can serve as inspiration.

>> Now, I agree with Léo that (1) this is not SourceHut-specific, and (2)
>> it should not download generated archives.
>> Also, I’d prefer to have the code rely on Guile-Git to list tags rather
>> than invoking ‘git’, if possible.
> Libgit2 has a ‘git_tag_list’ API, though it doesn’t seem like Guile-Git
> supports it.

Ah, we could add it.

>> Perhaps that code could leave in its own (guix import git) module or
>> similar, rather than in (guix gnu-maintenance), which already has
>> little to do with GNU maintenance at this point.  :-)
> Yeah, I think that’s a good idea :)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]